I have been given the task of bringing multiple development servers currently living a mile away in-house and configuring the network to accommodate them. I’ve done little more than stick jack A into port B up to now, so I’m feeling a little lost. I would greatly appreciate a point in the right direction. If anything I say is ambiguous or doesn’t make sense, feel free to point it out.
Currently we have an ASA 5505, a few Windows servers, and a Linux box. One of the Windows boxes is a DHCP server. All the computers at the office have hosts files that map convenient host names to local IPs. We have a block of five external IPs: one is dedicated to outbound traffic, one is reserved, and I am free to route the remaining three amongst the current and newly arriving machines.
I have questions about almost every step in the process:
- I think I am supposed to have ASA listen to our external IPs through one cable and route them to local IPs via another cable. Is this valid?
- Is there a good practice to follow when choosing which machines get routed to a common IP?
- ASA can be a DHCP server. Would there be a scenario in which I would rather leave that responsibility with the current machine, which will be sent traffic from the ASA?
- We’ll be converting to a DNS server at some point, but for now I think I have to modify the master host file. All the in-house machines listed in the host file have local IPs. Does this mean I give the arriving servers static local IPs and keep them away from the DHCP server?
Thanks for your advice in advance. You have no idea how much this helps, even if just to learn through mistakes on the Internet instead of mistakes in the server room…
- Yes. Keep to discrete inside and outside links for any firewall. Later you can work on using a third link for a DMZ.
- Mostly just sanity. From the outside you are going to have 3 IPs that each have a DNS name and maybe some DNS aliases. Try and keep logical stuff together. All the mail on one IP, web and FTP and other data services on one. Mostly just so it seems to make sense from the outside so you don’t confuse yourself. If you have access to outside DNS, be liberal with the aliases so you can move services from IP to IP and you’ll care even less.
- Stick with server DHCP. With Windows or other OSes you can likely tie your DHCP to DNS so even the non-static machines show up in DNS.
- Anything the firewall is going to pass traffic to, use static addresses with.
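To make the four points above concrete, here is an added ASA configuration sketch; it is not from the original post or the answer, and it is not taken from any real deployment. It assumes ASA software 8.3 or later (object NAT syntax), the ASA 5505's VLAN-based interfaces, and uses RFC 5737 documentation addresses as placeholders for the inside subnet and the public block. It keeps one physical link per security zone, maps one public IP to the mail server and another to the web server, only opens the specific ports those servers need, and leaves DHCP on the existing Windows server (no `dhcpd` lines on the ASA). Every inside host that receives a static NAT entry must itself have a static inside address, which is the reason behind the last point in the answer.

```cisco
! --- Added example, not the original poster's or answerer's config ---
! Addresses are placeholders: 192.168.10.0/24 = inside LAN, 203.0.113.8/29 = public block

! One link per zone: inside on VLAN 1, outside on VLAN 2
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
 ! Ethernet0/1-0/7 stay in VLAN 1 (inside) by default on a 5505

! Default route toward the ISP (placeholder gateway)
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1

! Servers that receive inbound traffic: static inside addresses, one public IP each
object network mail-server
 host 192.168.10.20
 nat (inside,outside) static 203.0.113.11
object network web-server
 host 192.168.10.30
 nat (inside,outside) static 203.0.113.12

! Everything else (DHCP clients included) shares the outside interface address for outbound traffic
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Inbound policy: on 8.3+ the ACL references the real (inside) addresses, not the public ones.
! Only the services each host actually offers are opened; the rest stays implicitly denied.
access-list outside_in extended permit tcp any object mail-server eq smtp
access-list outside_in extended permit tcp any object web-server eq http
access-list outside_in extended permit tcp any object web-server eq https
access-group outside_in in interface outside
```

After applying it, `show nat` confirms the translations and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.11 25` walks a simulated inbound SMTP packet through NAT and the ACL so you can see it allowed (and a probe to a port you did not open dropped) before any real traffic is cut over. Because the ACL is written against the inside objects, changing which public IP a server maps to is a one-line NAT edit, which pairs well with the advice to use DNS aliases generously.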